# IAM role assumed by EC2 instances running the Bamboo build/deploy agent.
# The trust policy allows only the EC2 service principal; everything the agent
# may do is granted through the single inline policy below.
#
# NOTE(review): several statements grant "<service>:*" on Resource "*" (ec2, ecr,
# cloudformation, ecs, eks, iam:PassRole, lambda, ssm, rds, ...). Combined with
# iam:CreateRole/PutRolePolicy/PassRole on "*" in BambooExtraPermissions this role
# is effectively account-admin; the resource-scoped eksIamPermissions statement
# does not constrain those actions because the wildcard grant already allows them.
# Scope Resource ARNs and drop the duplicated/subsumed statements once the real
# needs of the pipeline are known; until then, monitor this role's CloudTrail use.
# NOTE(review): `inline_policy` is deprecated in recent AWS provider versions in
# favour of a separate aws_iam_role_policy resource — migrate when convenient
# (requires a state move, so not done here).
resource "aws_iam_role" "gitlab_dedicated_bamboo_agent" {
  name = "gitlab-dedicated-bamboo-agent"

  # Trust policy: only EC2 may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      },
    ]
  })

  inline_policy {
    name = "CopyOfBambooDeployRolePolicy"

    # Keys are written with `=` and bare names; jsonencode emits keys in sorted
    # order, so statement layout here has no effect on the rendered JSON.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        # --- deploy: S3 artefact access --------------------------------------
        {
          Sid      = "DeployS3Access"
          Effect   = "Allow"
          Action   = ["s3:Get*", "s3:List*", "s3:PutObject*"]
          Resource = ["*"]
        },
        {
          Sid      = "DeployS3BucketAccess"
          Effect   = "Allow"
          Action   = ["s3:ListAllMyBuckets", "s3:CreateBucket"]
          Resource = ["*"]
        },
        # --- Packer AMI builds ----------------------------------------------
        # These scoped EC2 statements are subsumed by EC2FullAccess below.
        {
          Sid    = "PackerSecurityGroupAccess"
          Effect = "Allow"
          Action = [
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
          ]
          Resource = ["*"]
        },
        {
          Sid    = "PackerAMIAccess"
          Effect = "Allow"
          Action = [
            "ec2:CreateImage",
            "ec2:RegisterImage",
            "ec2:DeregisterImage",
            "ec2:DescribeImages",
          ]
          Resource = ["*"]
        },
        {
          Sid      = "PackerSnapshotAccess"
          Effect   = "Allow"
          Action   = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeSnapshots"]
          Resource = ["*"]
        },
        {
          Sid    = "PackerInstanceAccess"
          Effect = "Allow"
          Action = [
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances",
            "ec2:TerminateInstances",
            "ec2:DescribeInstances",
            "ec2:CreateTags",
          ]
          Resource = ["*"]
        },
        {
          Sid      = "PackerKeyPairAccess"
          Effect   = "Allow"
          Action   = ["ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeKeyPairs"]
          Resource = ["*"]
        },
        {
          Sid      = "PackerS3Access"
          Effect   = "Allow"
          Action   = ["s3:Get*", "s3:List*", "s3:PutObject*", "s3:DeleteObject*"]
          Resource = ["*"]
        },
        {
          # Duplicate of DeployS3BucketAccess.
          Sid      = "PackerS3BucketAccess"
          Effect   = "Allow"
          Action   = ["s3:ListAllMyBuckets", "s3:CreateBucket"]
          Resource = ["*"]
        },
        # --- service-wide wildcards (unscoped) ------------------------------
        {
          Sid      = "EC2FullAccess"
          Effect   = "Allow"
          Action   = ["ec2:*"]
          Resource = ["*"]
        },
        {
          Sid      = "EcrPermissions"
          Effect   = "Allow"
          Action   = ["ecr:*"]
          Resource = ["*"]
        },
        {
          Sid      = "CloudformationPermissions"
          Effect   = "Allow"
          Action   = ["cloudformation:*"]
          Resource = ["*"]
        },
        {
          # Sid spelling ("Permissons") kept as-is: it is part of the rendered policy.
          Sid    = "BackupVaultPermissons"
          Effect = "Allow"
          Action = [
            "backup:*",
            "backup-storage:MountCapsule",
            "kms:CreateGrant",
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:RetireGrant",
            "kms:DescribeKey",
          ]
          Resource = ["*"]
        },
        {
          Sid    = "AwsLogs"
          Effect = "Allow"
          Action = [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:PutMetricFilter",
          ]
          Resource = ["arn:aws:logs:*:*:*"]
        },
        {
          # iam:CreateRole + iam:PutRolePolicy + iam:PassRole on "*" lets the agent
          # mint and hand out arbitrary roles — the highest-risk grant in this policy.
          Sid    = "BambooExtraPermissions"
          Effect = "Allow"
          Action = [
            "iam:CreateRole",
            "iam:DeleteRolePolicy",
            "iam:GetRole",
            "iam:PutRolePolicy",
            "iam:DeleteRole",
            "iam:PassRole",
            "ecs:*",
            "eks:*",
            "elasticloadbalancing:*",
            "logs:DeleteLogGroup",
            "logs:DescribeLogGroups",
            "logs:PutRetentionPolicy",
            "autoscaling:*",
            "route53:*",
            "elasticache:*",
            "apigateway:*",
            "cloudfront:*",
            "sns:*",
            "sqs:*",
            "rds:*",
            "cloudwatch:*",
            "elasticfilesystem:*",
            "application-autoscaling:*",
            "dynamodb:*",
            "kms:Decrypt",
            "ssm:*",
            "lambda:*",
            "kafka:*",
            "acm:*",
            "events:*",
            "license-manager:*",
          ]
          Resource = "*"
        },
        # --- eksctl-specific grants ------------------------------------------
        {
          # Service-linked role creation restricted to the listed AWS services.
          Sid    = "eksCreateServiceRoles"
          Effect = "Allow"
          Action = ["iam:CreateServiceLinkedRole"]
          Condition = {
            StringEquals = {
              "iam:AWSServiceName" = [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "eks.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com",
              ]
            }
          }
          Resource = "*"
        },
        {
          # Account id is hard-coded; consider data.aws_caller_identity for portability.
          Sid      = "eksSsmParameterAccess"
          Effect   = "Allow"
          Action   = ["ssm:GetParameter", "ssm:GetParameters"]
          Resource = [
            "arn:aws:ssm:*:336837717482:parameter/aws/*",
            "arn:aws:ssm:*::parameter/aws/*",
          ]
        },
        {
          # Resource scoping here is only effective for actions NOT already granted
          # on "*" by BambooExtraPermissions (e.g. AttachRolePolicy, TagRole).
          Sid    = "eksIamPermissions"
          Effect = "Allow"
          Action = [
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:GetInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:GetRole",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:AddRoleToInstanceProfile",
            "iam:ListInstanceProfilesForRole",
            "iam:PassRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRolePolicy",
            "iam:GetRolePolicy",
            "iam:GetOpenIDConnectProvider",
            "iam:CreateOpenIDConnectProvider",
            "iam:DeleteOpenIDConnectProvider",
            "iam:ListAttachedRolePolicies",
            "iam:TagRole",
          ]
          Resource = [
            "arn:aws:iam::336837717482:instance-profile/eksctl-*",
            "arn:aws:iam::336837717482:role/eksctl-*",
            "arn:aws:iam::336837717482:oidc-provider/*",
            "arn:aws:iam::336837717482:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
            "arn:aws:iam::336837717482:role/eksctl-managed-*",
          ]
        },
        # --- misc service wildcards -----------------------------------------
        {
          Sid      = "KinesisFullPermissions"
          Effect   = "Allow"
          Action   = ["kinesis:*"]
          Resource = ["*"]
        },
        {
          Sid      = "StepfunctionPermissions"
          Effect   = "Allow"
          Action   = ["states:*"]
          Resource = ["*"]
        },
        {
          # Read/write of every secret in the account; scope by ARN or tag condition.
          Sid    = "SecretsmanagerPermissions"
          Effect = "Allow"
          Action = [
            "secretsmanager:DescribeSecret",
            "secretsmanager:Get*",
            "secretsmanager:Create*",
            "secretsmanager:Put*",
            "secretsmanager:Update*",
            "secretsmanager:List*",
            "secretsmanager:TagResource",
            "secretsmanager:UntagResource",
            "secretsmanager:DeleteSecret",
          ]
          Resource = ["*"]
        },
        {
          Sid      = "loadPublicEcr"
          Effect   = "Allow"
          Action   = ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"]
          Resource = "*"
        },
      ]
    })
  }
}